Solved

Ensuring all VLANs/subnets are covered in VA & industry practices

Posted on 2016-10-06
Last Modified: 2016-11-07
Q1
As a governance/compliance person, I'm often not updated by the network teams when new VLANs / subnets are created. The network diagram may not be updated in a timely manner either. What are the surest ways to check? Get a read-only account on the core switch & issue a command to see all the VLANs there? Or where is the best place/device to see all VLANs/subnets in a corporate network?

Q2
For Cisco switches/routers, is there a way to automatically configure something to obtain the output of a certain command (say 'show vlan all') & get it emailed out? Can Tripwire or TACACS+ do this?

Q3
For internal VA scans, what are the subnets/VLANs that are scanned? Do they scan only server VLANs/zones, i.e. DMZ, Apps/internal, DB & management zones (is Management crucial), or user/PC VLANs plus DR and UAT VLANs (where the DR/UAT servers sit) as well?
Question by:sunhux

Author Comment

by:sunhux
ID: 41831520
We have both Cisco & Nexus switches/routers, so do provide the commands

Author Comment

by:sunhux
ID: 41831526
This whole thing arises from the auditor: how do we ensure and show evidence
that all network segments are scanned (& he meant the relevant segments)?
Accepted Solution

by:SIM50 earned 500 total points
ID: 41831794
As a governance/compliance person, I'm often not updated by the network teams when new VLANs / subnets are created. The network diagram may not be updated in a timely manner either. What are the surest ways to check? Get a read-only account on the core switch & issue a command to see all the VLANs there? Or where is the best place/device to see all VLANs/subnets in a corporate network?

I think it would be better to look at the routing table to see if new routes were installed. Take a snapshot and then run a compare from time to time. The core switch would be the best place to look it up. I wouldn't look at the VLANs because not all of them might exist on that switch.
Edit: Forgot to mention this. It also depends on your internal routing protocol. For EIGRP, this would work no problem. For OSPF, I would get a routing table from each ASBR as the routes are usually summarized when they cross area boundaries.

For Cisco switches/routers, is there a way to automatically configure something to obtain the output of a certain command (say 'show vlan all') & get it emailed out? Can Tripwire or TACACS+ do this?

Look up Cisco Embedded Event Manager (EEM). There are applets for what you want. Might require a bit of scripting.

For internal VA scans, what are the subnets/VLANs that are scanned? Do they scan only server VLANs/zones, i.e. DMZ, Apps/internal, DB & management zones (is Management crucial), or user/PC VLANs plus DR and UAT VLANs (where the DR/UAT servers sit) as well?

Not sure what you are asking here. Can you please elaborate? What is VA, UAT?

Author Comment

by:sunhux
ID: 41832853
VA = Vulnerability Assessment
Some VA tools are Nessus and McAfee Vulnerability Manager, for example.

UAT = User Acceptance Test (i.e. a test server)

Assisted Solution

by:SIM50
SIM50 earned 500 total points
ID: 41833522
I do network security designs and implementations, so systems and policies are not really my forte. From my experience though, vulnerability scanning depends on the corporate policy and the compliance standard a company falls under. For PCI, for example, you should scan all devices that fall in scope. Scanning the rest depends on the policy, but usually you scan all internet-facing and important servers (AD, DBs, etc.) and devices.

The management VLAN should be locked down to access only from certain PCs, and ideally those PCs should be scanned.

User PCs usually fall under one departmental or company management policy from AD GPOs and WSUS. You can take a sample of PCs and scan them. The results should be similar.

For DR, it depends what kind of DR. Does it have live data for hot failover? If yes, then it falls under the same scanning policy as production. If it's a warm DR, then you need to scan the storage devices holding the backup data.

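The two checks discussed in this thread, the routing-table snapshot comparison from the accepted solution (detecting segments the network team added without telling anyone) and the auditor's question of showing evidence that every relevant segment is in the VA scan scope, as one added example that is not part of the thread or of any vendor tool. Both `show ip route` snapshots, the scanner target list and every address in it are constructed sample data; in practice the snapshots would be captured from the core switch (a read-only account, or an EEM applet that mails the output) and the scope exported from the scanner's target list.

```python
"""Compare routing-table snapshots and check the result against a VA scan scope.

Added example, not from the thread. Both `show ip route` snapshots below and
the scan scope are constructed sample data; in practice the snapshots are
captured from the core switch (read-only account, or an EEM applet that mails
the output) and the scope is exported from the scanner's target list.
"""
from __future__ import annotations

import ipaddress
import re

# Prefix extractor for IOS-style routing-table lines, e.g.
#   C        10.10.20.0/24 is directly connected, Vlan20
#   O IA     10.60.5.0/24 [110/20] via 10.10.1.2, 1w2d, Gi1/1
# Group 1 is the route code(s), group 2 the prefix. Header lines such as
# "Codes: ..." or "10.0.0.0/8 is variably subnetted" do not match.
ROUTE_RE = re.compile(r"^\s*([A-Z][A-Z* ]*?)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def parse_routes(show_ip_route: str) -> set[ipaddress.IPv4Network]:
    """Return the set of network prefixes found in a `show ip route` snapshot.

    Local host routes (code L, the switch's own /32 addresses) and the default
    route are skipped: they are not segments that a VA scan would target.
    """
    prefixes: set[ipaddress.IPv4Network] = set()
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, prefix = m.group(1).strip(), m.group(2)
        net = ipaddress.ip_network(prefix, strict=False)
        if code.startswith("L") or net.prefixlen == 0:
            continue
        prefixes.add(net)
    return prefixes


def diff_routes(baseline: str, current: str):
    """Return (added, removed) prefixes between two snapshots."""
    old, new = parse_routes(baseline), parse_routes(current)
    return new - old, old - new


def unscanned_prefixes(prefixes, scan_scope):
    """Prefixes not fully contained in any scan-scope entry (CIDR strings).

    A segment counts as covered only when it is a subnet of, or equal to, a
    scope entry; partial overlap is reported so the gap is visible to an auditor.
    """
    scope = [ipaddress.ip_network(s, strict=False) for s in scan_scope]
    return {p for p in prefixes if not any(p.subnet_of(s) for s in scope)}


def coverage_report(baseline, current, scan_scope) -> dict[str, list[str]]:
    """Summarise new/removed segments and those outside the scan scope."""
    added, removed = diff_routes(baseline, current)
    gaps = unscanned_prefixes(parse_routes(current), scan_scope)
    return {
        "new_segments": sorted(str(p) for p in added),
        "removed_segments": sorted(str(p) for p in removed),
        "not_in_scan_scope": sorted(str(p) for p in gaps),
    }


# Constructed snapshots (not real output from any device).
BASELINE = """\
Codes: L - local, C - connected, S - static, D - EIGRP, EX - EIGRP external
       O - OSPF, IA - OSPF inter area, B - BGP

Gateway of last resort is 10.10.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.1.2
      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.10.1.0/30 is directly connected, GigabitEthernet1/1
L        10.10.1.1/32 is directly connected, GigabitEthernet1/1
C        10.10.20.0/24 is directly connected, Vlan20
L        10.10.20.1/32 is directly connected, Vlan20
D        10.50.0.0/16 [90/3072] via 10.10.1.2, 3d02h, GigabitEthernet1/1
O IA     10.60.5.0/24 [110/20] via 10.10.1.2, 1w2d, GigabitEthernet1/1
"""

# Later snapshot: a new EIGRP route and a new local VLAN have appeared.
CURRENT = BASELINE + """\
D        10.70.8.0/22 [90/3072] via 10.10.1.2, 00:12:41, GigabitEthernet1/1
C        10.10.30.0/24 is directly connected, Vlan30
L        10.10.30.1/32 is directly connected, Vlan30
"""

# Constructed scanner target list. 10.10.0.0/16 is a supernet, so the new
# VLAN 30 is already in scope; the new 10.70.8.0/22 route is not.
SCAN_SCOPE = ["10.10.0.0/16", "10.50.0.0/16", "10.60.5.0/24"]

if __name__ == "__main__":
    for key, value in coverage_report(BASELINE, CURRENT, SCAN_SCOPE).items():
        print(f"{key}: {', '.join(value) or '(none)'}")
```

Run it against two saved snapshots and the scope list, and the `not_in_scan_scope` entries are the exact segments to either add to the scanner or document as intentionally out of scope for the auditor. As the accepted solution notes, a single core switch may not see every route in an OSPF design with summarisation, so snapshots from each area boundary router can simply be concatenated before parsing.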